Are my AutoIt3 exe's infected

[BasicOs]

Yes to the first question, and yes to the second. The reason AV companies just decide upon UPX as being bad is because that is a common signature, and the "lazy" way of getting it done.

JS

For sure, they can look for traces in many ways.

I made an Antivir for a group of customers, a long time ago(Echo/Bleah), and I know what it its looking for sigs, traces, reading Ram, Reading disk, fat, fixing mbr, accessing to bites level, and so on ...

If they work a little more, even they could identify some dangerous autit code directly after UPX.

Problem could evolve and take only months vir-makers make some changes, that could be really difficult to know what is dangerous or not. I will not explain how obviously.

I see in a future we should solve that problem by our selves helping to Avir companys, if they need, how to make some rules of what is dangerous and what not. As nobody knows better Autoit code than self-Scripters.(I hope that will not be necessary)

I think by example there is something made by Devs in eval() udf restrictions ....

Edited November 8, 2006 by BasicOs

[JSThePatriot]

For sure, they can look for traces in many ways.

I made an Antivir for a group of customers, a long time ago(Echo/Bleah), and I know what it its looking for sigs, traces, reading Ram, Reading disk, fat, fixing mbr, accessing to bites level, and so on ...

If they work a little more, even they could identify some dangerous autit code directly after UPX.

Problem could evolve and take only months vir-makers make some changes, that could be really difficult to know what is dangerous or not. I will not explain how obviously.

I see in a future we should solve that problem by our selves helping to Avir companys, if they need, how to make some rules of what is dangerous and what not. As nobody knows better Autoit code than self-Scripters.(I hope that will not be necessary)

I think by example there is something made by Devs in eval() udf restrictions ....

The Developers have certainly set an example by limiting functionality in some areas, but also Jon has already spoken with major AV companies and has been denied on his interest of sharing the AutoIt signature. Jon has tried on multiple occasions (as my understanding goes), but to no avail.

I do appreciate the response though,

JS

[BasicOs]

The Developers have certainly set an example by limiting functionality in some areas, but also Jon has already spoken with major AV companies and has been denied on his interest of sharing the AutoIt signature. Jon has tried on multiple occasions (as my understanding goes), but to no avail.

I do appreciate the response though,

JS

Sorry,

I did not mean that because all signatures are the same for autoit engine and upx, I meant after upx+autoit engine+Scripting code.

How do they detect changes is the scripting code? they do now binary level but that check can be overriden, what happens then when the low level checking is not anymore working? ... that was what I was talking about in last post ..... I do not give more details because it is not a joke.

if some qualified Scripter wish, I can give details of:

The danger and how is this Antivirus-Bug working.

Exactly how they use the virus signatures.

How I think, that AntivirGbh soluted the false check, easily.

How next time it can became quite difficult even a headache for any antivir Company

I will not explain anymore, because I do not want to give a Virus-Making Lesson... of how the bug is.

P.S. Aha interface does not have problems with virus anyway, as there is no exe in client computer.

[Jos]

The sticky thread in not ment to post this BS....